Hi there,
I've got an interesting problem with Exim on a Debian jessie system where Exim is installed through apt. I would like to use DKIM, but it seems that Exim is unable to read the DKIM keyfile, giving the following error: unable to open private key file for reading: /path/to/keyfile
I'd like to use the ssl-cert group to allow Exim to read the keyfile, so my permissions are as follows:
Not working, but the way I want it: keyfile - owner: root, group: ssl-cert, chmod 0440
Working, but not how I want it: keyfile - owner: root, group: Debian-exim, chmod 0440
The debian-exim user has a primary group of Debian-exim and a secondary group ssl-cert. I have restarted exim since applying this.
I have confirmed that when I log in as the debian-exim user manually I -can- read the keyfile perfectly fine (with root:ssl-cert).
I have also confirmed that exim itself does run with both the group Debian-exim and ssl-cert, through /proc/<exim_pid>/status (under "Groups")
This makes me believe that exim is internally dropping the secondary group privileges and is only running with Debian-exim as owner/group, ignoring any secondary group permissions.
I've heard on IRC it -might- be related to an exim feature called initgroups
-> http://hep.itp.tuwien.ac.at/cgi-bin/info2www?(exim)initgroups+(pipe)
This defaults to false, but with my (fairly standard) setup of Exim (configured for only sending mail, no local delivery) under Debian I'm not sure where to configure this; there isn't any reference to initgroups at all in my config file.
Does anyone have any ideas about why the ssl-cert group is not functioning for mails sent through exim where exim has to read the dkim key?
Cheers!